Open c4-bot-5 opened 10 months ago
raymondfam marked the issue as sufficient quality report
raymondfam marked the issue as duplicate of #111
raymondfam marked the issue as duplicate of #519
raymondfam marked the issue as duplicate of #15
MarioPoneder changed the severity to QA (Quality Assurance)
MarioPoneder marked the issue as grade-b
Lines of code
https://github.com/code-423n4/2023-12-revolutionprotocol/blob/main/packages/revolution/src/CultureIndex.sol#L322 https://github.com/code-423n4/2023-12-revolutionprotocol/blob/main/packages/revolution/src/MaxHeap.sol#L132-L151
Vulnerability details
Impact
The
MaxHeap
contract, as currently implemented, poses a significant risk in terms of gas consumption and potential Denial of Service (DoS) attacks. The primary issue arises when the heap grows so large that the values of items are minimally different from each other. In such a scenario, updating an item's value could result in numerous swaps to maintain the heap's max-heap property, leading to excessive gas costs.This issue is particularly acute for users with high voting power in the context of the voting mechanism that interacts with the
MaxHeap
.https://github.com/code-423n4/2023-12-revolutionprotocol/blob/main/packages/revolution/src/CultureIndex.sol#L322
As the heap size increases and the differences between item values decrease, the cost of maintaining the heap structure becomes prohibitively high. This can lead to a scenario where significant voters are effectively unable to participate due to gas limitations, resulting in a de facto DoS condition.
Voters have no other options except to:
This could significantly disrupt the normal functioning of the contract and the associated voting mechanism. If left unaddressed, it could lead to increased costs for users, restricted participation, and potential manipulation of the voting process by those willing to pay higher gas fees.
Proof of Concept
The issue is inherent in the design and implementation of the
MaxHeap
contract.https://github.com/code-423n4/2023-12-revolutionprotocol/blob/main/packages/revolution/src/MaxHeap.sol#L132-L151
Specifically, the
updateValue
function above is designed to adjust an item's position in the heap to maintain the max-heap property. In a scenario where the heap is large and the value differences between items are minimal, this function will result in a high number of swaps in the while loop ormaxHeapify()
in the else clause.https://github.com/code-423n4/2023-12-revolutionprotocol/blob/main/packages/revolution/src/MaxHeap.sol#L83-L113
Each swap operation involves multiple state changes, including updating mappings for heap positions and item values. These state changes are gas-intensive operations in the Ethereum Virtual Machine (EVM). The problem is exacerbated as the heap grows in size, leading to an increased number of swaps and, consequently, higher gas costs.
Tools Used
Manual
Recommended Mitigation Steps
Heap Size Limit: Implementing a limit on the size of the heap can help manage the gas costs. Once the limit is reached, new items can only be added if they have a higher value than a minimum value in the heap. This would require users with certain voting weight to create a new piece.
Gas Optimization: Review and optimize the smart contract code for gas efficiency. This can include minimizing state changes and optimizing the logic in the
maxHeapify
andupdateValue
functions.Alternative Data Structures: Consider using different data structures that might be more gas-efficient for your specific use case, like a sorted list or a balanced binary tree.
Off-Chain Calculations: For applications where immediate on-chain sorting is not critical, you could move some of the heap management off-chain and only update the on-chain data periodically or under certain conditions.
Gas Refund Mechanism: Implement a mechanism to refund gas for users who contribute significantly to the maintenance of the heap structure.
Assessed type
DoS